Security Incidents mailing list archives

Re: Spam and SYN Flood?


From: Peter Kosinar <goober () ksp sk>
Date: Thu, 21 Dec 2006 01:52:52 +0100 (CET)

Hello Curt,

> I've since enabled TCP_SYNCOOKIES as well as increased the SYN buffer to
> 4096, as well as shortened the amount of time that a SYN connection
> existed on the server.  What I'm looking for is, am I creating a denial
> of service for myself, or is this coming from somewhere else that I'm
> just not expecting.  If so, is there a way to trace this, or not?
>
> Example of syn_recv from netstat -anp output
>
> (this can go on for about 1500 connections, so that's why only about 15
> listed)

At first glance, it seems you're blocking the connections too late -- i.e. after the initial SYN packet had been received. I haven't played with ipchains for ages, but couldn't you, by accident, have blocked the communication in the other direction instead of the right one? That would effectively block the SYN/ACK which is sent as an answer for the initial SYN, thus causing the symptoms you're observing.

Peter

--
[Name] Peter Kosinar   [Quote] 2B | ~2B = exp(i*PI)   [ICQ] 134813278
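One way to get a first answer to the "is this a flood or is it me?" question in the thread is to summarise the SYN_RECV entries from `netstat -anp` by remote address and by local port. The script below is an added example, not code from either poster; the netstat lines embedded in it are constructed for the demonstration, and the `threshold` and the 50% concentration cut-off are arbitrary choices. A pile-up concentrated on one or two remote addresses points at a small number of misbehaving clients, while a pile-up spread thinly over many addresses is consistent either with a spoofed/distributed SYN flood or with Peter's scenario, where the server's own SYN/ACK never gets out and every legitimate client is left half-open. netstat alone cannot separate those last two cases; a packet capture on the outbound side showing whether SYN/ACKs actually leave the interface can.

```python
import re
from collections import Counter

# Constructed sample of `netstat -anp` output for this example (not the poster's data).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1234/sendmail
tcp        0      0 192.0.2.10:25           198.51.100.7:40512      SYN_RECV    -
tcp        0      0 192.0.2.10:25           198.51.100.7:40513      SYN_RECV    -
tcp        0      0 192.0.2.10:25           203.0.113.4:51000       SYN_RECV    -
tcp        0      0 192.0.2.10:25           203.0.113.99:51001      SYN_RECV    -
tcp        0      0 192.0.2.10:80           203.0.113.200:33001     SYN_RECV    -
tcp        0      0 192.0.2.10:22           198.51.100.20:55000     ESTABLISHED 999/sshd
"""

# Proto, Recv-Q, Send-Q, local addr:port, foreign addr:port, state.
# The address groups split at the last colon, so IPv6 literals still parse.
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), rip, rport, state


def syn_recv_summary(text):
    """Count half-open (SYN_RECV) sockets, grouped by remote address and by local port."""
    rows = [r for r in parse_netstat(text) if r[5] == "SYN_RECV"]
    return {
        "total": len(rows),
        "by_remote": Counter(r[3] for r in rows),
        "by_local_port": Counter(r[2] for r in rows),
    }


def classify(summary, threshold=100):
    """Rough triage: is the half-open backlog concentrated on a few sources or spread out?

    `threshold` is an arbitrary cut-off for 'worth looking at' (assumption for this example).
    """
    total = summary["total"]
    if total < threshold:
        return "below threshold"
    top_ip, top_n = summary["by_remote"].most_common(1)[0]
    if top_n / total >= 0.5:
        return f"concentrated: {top_ip} accounts for {top_n}/{total}"
    # Many distinct sources: either a spoofed/distributed flood, or the server's
    # SYN/ACK is not getting out and all clients are stuck half-open. netstat
    # cannot tell these apart; confirm with an outbound packet capture.
    return "dispersed: many distinct sources"


if __name__ == "__main__":
    s = syn_recv_summary(SAMPLE_NETSTAT)
    print("SYN_RECV total:", s["total"])
    print("top remote addresses:", s["by_remote"].most_common(3))
    print("by local port:", dict(s["by_local_port"]))
    print("verdict:", classify(s, threshold=5))
```

On a real host, feed it the live output (`netstat -anp | python3 this_script.py` after swapping `SAMPLE_NETSTAT` for `sys.stdin.read()`) and repeat a few times a minute; a backlog that is capped at exactly the configured SYN queue size and never drains is a further hint that the three-way handshake is not completing for anyone.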

